feat(misconf): Add --misconfig-scanners option (#5670)

2025-12-23 07:29:00 -08:00 · 2023-11-29 16:59:17 -07:00
parent 075d8f6286
commit b5874e3ad3
12 changed files with 55 additions and 0 deletions
--- a/docs/docs/references/configuration/cli/trivy_aws.md
+++ b/docs/docs/references/configuration/cli/trivy_aws.md
@@ -86,6 +86,7 @@ trivy aws [flags]
      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
      --max-cache-age duration            The maximum age of the cloud cache. Cached data will be requeried from the cloud provider if it is older than this. (default 24h0m0s)
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
  -o, --output string                     output file name
      --policy-bundle-repository string   OCI registry URL to retrieve policy bundle from (default "ghcr.io/aquasecurity/trivy-policies:0")
      --policy-namespaces strings         Rego namespaces
--- a/docs/docs/references/configuration/cli/trivy_config.md
+++ b/docs/docs/references/configuration/cli/trivy_config.md
@@ -29,6 +29,7 @@ trivy config [flags] DIR
      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
      --k8s-version string                specify k8s version to validate outdated api by it (example: 1.21.0)
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
  -o, --output string                     output file name
      --password strings                  password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--- a/docs/docs/references/configuration/cli/trivy_filesystem.md
+++ b/docs/docs/references/configuration/cli/trivy_filesystem.md
@@ -51,6 +51,7 @@ trivy filesystem [flags] PATH
      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
      --license-full                      eagerly look for licenses in source code headers and license files
      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
      --no-progress                       suppress progress bar
      --offline-scan                      do not issue API requests to identify dependencies
--- a/docs/docs/references/configuration/cli/trivy_image.md
+++ b/docs/docs/references/configuration/cli/trivy_image.md
@@ -69,6 +69,7 @@ trivy image [flags] IMAGE_NAME
      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
      --license-full                      eagerly look for licenses in source code headers and license files
      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
      --no-progress                       suppress progress bar
      --offline-scan                      do not issue API requests to identify dependencies
--- a/docs/docs/references/configuration/cli/trivy_kubernetes.md
+++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md
@@ -60,6 +60,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
      --k8s-version string                specify k8s version to validate outdated api by it (example: 1.21.0)
      --kubeconfig string                 specify the kubeconfig file path to use
      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
  -n, --namespace string                  specify a namespace to scan
      --no-progress                       suppress progress bar
      --node-collector-namespace string   specify the namespace in which the node-collector job should be deployed (default "trivy-temp")
--- a/docs/docs/references/configuration/cli/trivy_repository.md
+++ b/docs/docs/references/configuration/cli/trivy_repository.md
@@ -51,6 +51,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
      --license-full                      eagerly look for licenses in source code headers and license files
      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
      --no-progress                       suppress progress bar
      --offline-scan                      do not issue API requests to identify dependencies
--- a/docs/docs/references/configuration/cli/trivy_rootfs.md
+++ b/docs/docs/references/configuration/cli/trivy_rootfs.md
@@ -53,6 +53,7 @@ trivy rootfs [flags] ROOTDIR
      --license-confidence-level float    specify license classifier's confidence level (default 0.9)
      --license-full                      eagerly look for licenses in source code headers and license files
      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
      --no-progress                       suppress progress bar
      --offline-scan                      do not issue API requests to identify dependencies
--- a/docs/docs/references/configuration/cli/trivy_vm.md
+++ b/docs/docs/references/configuration/cli/trivy_vm.md
@@ -47,6 +47,7 @@ trivy vm [flags] VM_IMAGE
      --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan])
      --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
      --no-progress                       suppress progress bar
      --offline-scan                      do not issue API requests to identify dependencies
--- a/docs/docs/references/configuration/config-file.md
+++ b/docs/docs/references/configuration/config-file.md
@@ -267,6 +267,12 @@ misconfiguration:
  # Default is false
  include-non-failures: false
  
+  # Same as '--miconfig-scanners'
+  # Default is all scanners
+  scanners:
+    - dockerfile
+    - terraform
+
  # helm value override configurations
  # set individual values
  helm:
--- a/docs/docs/scanner/misconfiguration/index.md
+++ b/docs/docs/scanner/misconfiguration/index.md
@@ -315,6 +315,15 @@ Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
 This section describes misconfiguration-specific configuration.
 Other common options are documented [here](../../configuration/index.md).

+### Enabling a subset of misconfiguration scanners
+It's possible to only enable certain misconfiguration scanners if you prefer. You can do so by passing the `--misconfig-scanners` option.
+This flag takes a comma-separated list of configuration scanner types.
+```bash
+trivy config --misconfig-scanners=terraform,dockerfile .
+```
+
+Will only scan for misconfigurations that pertain to Terraform and Dockerfiles.
+
 ### Pass custom policies
 You can pass policy files or directories including your custom policies through `--policy` option.
 This can be repeated for specifying multiple files or directories.
--- a/pkg/commands/artifact/run.go
+++ b/pkg/commands/artifact/run.go
@@ -6,6 +6,7 @@ import (
 	"fmt"

 	"github.com/hashicorp/go-multierror"
+	"github.com/samber/lo"
 	"github.com/spf13/viper"
 	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
@@ -480,6 +481,14 @@ func disabledAnalyzers(opts flag.Options) []analyzer.Type {
 		analyzers = append(analyzers, analyzer.TypeSecret)
 	}

+	// Filter only enabled misconfiguration scanners
+	ma, err := filterMisconfigAnalyzers(opts.MisconfigScanners, analyzer.TypeConfigFiles)
+	if err != nil {
+		log.Logger.Errorf("Invalid misconfig scanners specified: %s defaulting to use all misconfig scanners", opts.MisconfigScanners)
+	} else {
+		analyzers = append(analyzers, ma...)
+	}
+
 	// Do not perform misconfiguration scanning when it is not specified.
 	if !opts.Scanners.AnyEnabled(types.MisconfigScanner, types.RBACScanner) {
 		analyzers = append(analyzers, analyzer.TypeConfigFiles...)
@@ -512,6 +521,16 @@ func disabledAnalyzers(opts flag.Options) []analyzer.Type {
 	return analyzers
 }

+func filterMisconfigAnalyzers(included, all []analyzer.Type) ([]analyzer.Type, error) {
+	_, missing := lo.Difference(all, included)
+	if len(missing) > 0 {
+		return nil, xerrors.Errorf("invalid misconfiguration scanner specified %s valid scanners: %s", missing, all)
+	}
+
+	log.Logger.Debugf("Enabling misconfiguration scanners: %s", included)
+	return lo.Without(all, included...), nil
+}
+
 func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfig, types.ScanOptions, error) {
 	target := opts.Target
 	if opts.Input != "" {
--- a/pkg/flag/misconf_flags.go
+++ b/pkg/flag/misconf_flags.go
@@ -3,7 +3,9 @@ package flag
 import (
 	"fmt"

+	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/policy"
+	xstrings "github.com/aquasecurity/trivy/pkg/x/strings"
 )

 // e.g. config yaml:
@@ -73,6 +75,12 @@ var (
 		Default:    fmt.Sprintf("%s:%d", policy.BundleRepository, policy.BundleVersion),
 		Usage:      "OCI registry URL to retrieve policy bundle from",
 	}
+	MisconfigScannersFlag = Flag{
+		Name:       "misconfig-scanners",
+		ConfigName: "misconfiguration.scanners",
+		Default:    xstrings.ToStringSlice(analyzer.TypeConfigFiles),
+		Usage:      "comma-separated list of misconfig scanners to use for misconfiguration scanning",
+	}
 )

 // MisconfFlagGroup composes common printer flag structs used for commands providing misconfiguration scanning.
@@ -89,6 +97,7 @@ type MisconfFlagGroup struct {
 	TerraformTFVars            *Flag
 	CloudformationParamVars    *Flag
 	TerraformExcludeDownloaded *Flag
+	MisconfigScanners          *Flag
 }

 type MisconfOptions struct {
@@ -104,6 +113,7 @@ type MisconfOptions struct {
 	TerraformTFVars         []string
 	CloudFormationParamVars []string
 	TfExcludeDownloaded     bool
+	MisconfigScanners       []analyzer.Type
 }

 func NewMisconfFlagGroup() *MisconfFlagGroup {
@@ -119,6 +129,7 @@ func NewMisconfFlagGroup() *MisconfFlagGroup {
 		TerraformTFVars:            &TfVarsFlag,
 		CloudformationParamVars:    &CfParamsFlag,
 		TerraformExcludeDownloaded: &TerraformExcludeDownloaded,
+		MisconfigScanners:          &MisconfigScannersFlag,
 	}
 }

@@ -138,6 +149,7 @@ func (f *MisconfFlagGroup) Flags() []*Flag {
 		f.TerraformTFVars,
 		f.TerraformExcludeDownloaded,
 		f.CloudformationParamVars,
+		f.MisconfigScanners,
 	}
 }

@@ -153,5 +165,6 @@ func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error) {
 		TerraformTFVars:         getStringSlice(f.TerraformTFVars),
 		CloudFormationParamVars: getStringSlice(f.CloudformationParamVars),
 		TfExcludeDownloaded:     getBool(f.TerraformExcludeDownloaded),
+		MisconfigScanners:       getUnderlyingStringSlice[analyzer.Type](f.MisconfigScanners),
 	}, nil
 }